PowerShell to Add a Workstation to a User’s Log On To Property

Use PowerShell to manage an Active Directory user's LogonWorkstations property.

It’s easy enough to use ADUC or ADAC to change the list of computers that a user account is authorized to log on to, but sometimes (like, whenever possible!) you need to use PowerShell. Let’s start by seeing what workstations the user is allowed to log on to now…

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : testpc

This tells us that the user, Jay Test, is only allowed to authenticate from the computer named “testpc”. The LogonWorkstations field is a little funny in that it appears to be an array when you look at it in a GUI tool like Active Directory Users and Computers, but it’s actually just a text string with the names of the individual computers separated by commas.

Changing the value from one computer name to another is simple enough:

PS C:\> Set-ADUser jay.test -LogonWorkstations "newpc"

The LogonWorkstations property for jay.test now contains only the computer named “newpc”, and this account can no longer log on to “testpc”. (Note: the LogonWorkstations property is not case sensitive. “NEWPC” is the same as “newpc”.)

However, if you want to add a workstation instead of replacing one, you might do it this way…

  1. Save the current value of the LogonWorkstations property to a string variable.
    PS C:\> $Workstations = (Get-ADUser jay.test `
    -Properties LogonWorkstations).LogonWorkstations
  2. Add the new workstation to the string and don’t forget the comma.
    PS C:\> $Workstations += ",oldpc"
  3. Save the value back to the LogonWorkstations property.
    PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations

Now, when you get the new value from AD, you’ll see the new computer:

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | `
Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : newpc,oldpc

If you check in ADUC, you’ll see it like this:

LogonWorkstations property shown as Log On To in ADUC

It’s a bit more complicated if you want to remove a computer from the list, but here’s one way to do it:

  1. Save the list of computers in an array. This cmdlet will split the comma-delimited value of LogonWorkstations into an array.
    PS C:\> $Workstations = (Get-ADUser jay.test -Properties `
    LogonWorkstations).LogonWorkstations.split(',')
    PS C:\> $Workstations
    comp1
    comp2
    comp3
    comp4
  2. Remove the computer from the resulting array.
    PS C:\> $Workstations = $Workstations | Where-Object {$_ -ne "comp3"}
    PS C:\> $Workstations
    comp1
    comp2
    comp4
  3. Convert the new list, without computer “comp3”, to a string of comma-separated values.
    PS C:\> $Workstations = $Workstations -join ","
    PS C:\> $Workstations
    comp1,comp2,comp4
  4. Save the new workstations list back to the user object.
    PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations

Now, when you retrieve the list of allowable workstations for the user, you’ll see the list without the computer you removed:

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | `
Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : comp1,comp2,comp4

Finally, if you want to remove all workstation restrictions on a user account, this is probably the easiest of all of these tasks to do:

PS C:\> Set-ADUser jay.test -LogonWorkstations $Null
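The add, remove and clear steps above can be folded into one helper that handles the edge cases the manual steps don’t: an empty starting value (so you never write “,oldpc”), duplicate names differing only in case, and the fact that removing the last entry lifts the restriction entirely rather than locking the account out. This is an added example, not code from the original post; it assumes the ActiveDirectory module is loaded and uses the post’s jay.test account as the sample identity.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module; Set-LogonWorkstationEntry is a hypothetical helper name.
function Set-LogonWorkstationEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [Parameter(Mandatory)] [string]$Workstation,
        [ValidateSet('Add', 'Remove')] [string]$Action = 'Add'
    )

    $current = (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations

    # Split the comma-separated string and drop blanks, so a $null/empty
    # starting value never turns into ",newpc" when we append.
    $list = @()
    if (-not [string]::IsNullOrWhiteSpace($current)) {
        $list = @($current.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    switch ($Action) {
        'Add' {
            # -contains compares case-insensitively, like the attribute itself,
            # so "NEWPC" is not added beside an existing "newpc".
            if ($list -contains $Workstation) {
                Write-Verbose "$Workstation is already permitted for $Identity"
                return ($list -join ',')
            }
            $list += $Workstation
        }
        'Remove' {
            $list = @($list | Where-Object { $_ -ne $Workstation })
            if ($list.Count -eq 0) {
                # An empty value means NO restriction, not "nowhere": make that visible.
                Write-Warning "Removing '$Workstation' leaves no entries; $Identity will be allowed to log on from any workstation."
            }
        }
    }

    # Empty list -> $null, which is how the attribute expresses "unrestricted".
    $newValue = if ($list.Count -eq 0) { $null } else { $list -join ',' }

    if ($PSCmdlet.ShouldProcess($Identity, "Set LogonWorkstations to '$newValue'")) {
        Set-ADUser -Identity $Identity -LogonWorkstations $newValue
    }
    return $newValue
}

# Usage, following the post's scenario (add -WhatIf to preview without writing):
# Set-LogonWorkstationEntry -Identity jay.test -Workstation oldpc -Action Add
# Set-LogonWorkstationEntry -Identity jay.test -Workstation comp3 -Action Remove -WhatIf
```

The function returns the value it wrote (or would write under -WhatIf), so you can log it alongside the change for audit purposes.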
